12674 Views, 10 Helpful, 5 Replies

Cisco ASA 5545-X Firewall Rules - Bidirectional

Steven Chua
Level 1

Hi,

I am a bit confused about the Cisco ASA bidirectional firewall rules. From my understanding, a bidirectional firewall rule means that both the source and destination can initiate a connection to each other on the same port. For example, server A (source) initiates a connection to server B (destination) on port 445, and server B (destination) will/can initiate a connection to server A (source) on port 445.

However, when I checked the Cisco website, it says that "For TCP and UDP connections for both routed and transparent mode, you do not need an access rule to allow returning traffic because the ASA allows all returning traffic for established, bidirectional connections." I have attached the link below. It seems like in Cisco ASA the term bidirectional firewall rule refers to the go and return traffic, and not to both the source and destination being able to initiate a connection to each other on the same port.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/access_rules.html#wp1083607

Thus, I would like to ask: if I need to create rules on the Cisco ASA so that both the source and destination can initiate a connection to each other on the same port, does it mean that I will need to create two rules, one at each firewall interface of the Cisco ASA (e.g. Server A to Server B and then Server B to Server A with the same port)? In my current setup, all the VLAN default gateways are terminating on the Cisco ASA. There are two different servers in two different VLANs, and both servers need to initiate a connection to each other on the same port. Thus, what should I do?

Please advise.

2 Accepted Solutions

nkarthikeyan
Level 7

Hi,

You need to have bi-directional access whenever there is a necessity. General internet access from the LAN would not need bi-directional access, which will be taken care of by the stateful firewall. In the same way, if it is a video conferencing kind of setup, then it requires bi-directional access to allow it, because the traffic can be initiated from both ends. Generally, for return traffic you don't need to mention any rules in the ASA. If you have both the servers connected to the same interface of the ASA, then you need to enable hairpinning to access server A to server B and server B to server A.

Hope this helps.

Regards

Karthik


Bidirectional mainly refers to NAT rules. Static NAT/PAT rules are bidirectional while dynamic NAT is not bidirectional, i.e. both source and destination can initiate traffic.

For ACLs, however, you would need to configure permit rules on both interfaces to allow traffic to be initiated from either side. The only exception here would be if the interfaces have the same security level and you have configured same-security-traffic permit inter-interface; then you would not need the access rules.

--
Please remember to select a correct answer and rate helpful posts

5 Replies


Hi Karthik,

Thanks.

What I am looking at is when the servers are connected to a different interface/subnet and traffic can be initiated from either server. I believe I would need to configure the rules at each individual interface, unlike other brands of firewall where I can just enable the bi-directional option for the rules.

Please correct me if I am wrong.

Thks and Rgds


Thank you for the rating.

--
Please remember to select a correct answer and rate helpful posts

Hi Don,

Yes. If you have a scenario where you initiate traffic from both directions, then you require a bi-directional flow to allow it. Say you have server A on the inside1 interface and server B on the inside2 interface of the ASA, where access is initiated from server A to server B and access is initiated from server B to server A. Then you need to specifically allow the bi-directional flow in the ACLs mapped to the respective interfaces.

In the same way, if you want access only one way, say you want server A to access server B and you don't have server B initiating traffic to server A, then you don't need a bi-directional ACL. You just need to allow the one-way traffic; the return traffic will be allowed using stateful inspection.

Please do rate the helpful posts and do remember to select correct answers.

Regards

Karthik
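The two-ACL configuration that the second accepted solution and Karthik's last reply describe, written out as an added example; it is not configuration from the thread, from Cisco documentation, or from the original poster. It assumes interface names inside1 and inside2, constructed addresses 10.1.1.10 for server A and 10.2.2.10 for server B, and TCP port 445 from the question; the security levels, object names and ACL names are also assumptions.

```cisco
! Added example, not configuration from the thread. Interface names, security
! levels, object names, ACL names and the 10.1.1.0/24 and 10.2.2.0/24 addresses
! are constructed placeholders; replace them with your own values.

interface GigabitEthernet0/1
 nameif inside1
 security-level 60
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside2
 security-level 40
 ip address 10.2.2.1 255.255.255.0
!
object network SERVER-A
 host 10.1.1.10
object network SERVER-B
 host 10.2.2.10
!
! One inbound ACL per interface. Each entry permits only the connection that is
! INITIATED on that interface; the return packets of an established TCP
! connection are matched by the stateful connection table, not by these ACLs.
access-list INSIDE1_IN extended permit tcp object SERVER-A object SERVER-B eq 445
access-list INSIDE1_IN extended deny ip any any log
access-list INSIDE2_IN extended permit tcp object SERVER-B object SERVER-A eq 445
access-list INSIDE2_IN extended deny ip any any log
!
access-group INSIDE1_IN in interface inside1
access-group INSIDE2_IN in interface inside2
!
! Verification: simulate a SYN entering each interface and confirm the
! ACCESS-LIST phase reports ALLOW for both directions, then list the
! established connections whose return traffic the stateful inspection admits.
packet-tracer input inside1 tcp 10.1.1.10 40000 10.2.2.10 445
packet-tracer input inside2 tcp 10.2.2.10 40001 10.1.1.10 445
show conn address 10.1.1.10
```

Because inside1 carries the higher security level, the ASA's default behaviour would already let server A reach server B with no ACL at all and would drop server B's SYN toward server A; binding an explicit ACL to each interface makes both directions deliberate and limits them to port 445, with the trailing deny entries logging anything else. As the second accepted solution notes, the alternative is to give both interfaces the same security level and configure `same-security-traffic permit inter-interface`, but that permits all traffic between them unless an ACL is also applied, so the per-interface ACLs remain the tighter choice.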
